Example #1
0
  /**
   * Establishes the user associated with the operation.
   *
   * @param context the assertion operation context
   * @throws NotAuthorizedException if authentication was required
   * @throws AsnInsufficientPrivilegeException if the user has insufficient privilege
   * @throws AsnUnestablishedUserException if the user could not be established
   */
  public void establishUser(AsnContext context)
      throws NotAuthorizedException, AsnUnestablishedUserException {

    // initialize
    this.setWasUserEstablished(false);
    AsnOperation operation = context.getOperation();
    User user = context.getRequestContext().getUser();

    // establish the user part of the operation
    if (operation.getUserPart() == null) {
      operation.setUserPart(new AsnUserPart());
    }
    operation.getUserPart().setIPAddress(context.getRequestOptions().getIPAddress());
    AsnAuthPolicy authPolicy = operation.getAuthPolicy();
    if (authPolicy.getAuthenticationRequired()) {
      if ((user == null) || !user.getAuthenticationStatus().getWasAuthenticated()) {
        throw new NotAuthorizedException("Not authorized.");
      }
    }
    if ((user == null) || !user.getAuthenticationStatus().getWasAuthenticated()) {
      operation.getUserPart().setName(AsnConstants.ANONYMOUS_USERNAME);
      this.setWasUserEstablished(true);
    } else {
      String key = Val.chkStr(user.getKey());
      if (key.length() > 0) {
        operation.getUserPart().setKey(key);
        if (user.getLocalID() >= 0) {
          operation.getUserPart().setID("" + user.getLocalID());
          String name = Val.chkStr(user.getName());
          if (name.length() > 0) {
            operation.getUserPart().setName(name);
            this.setWasUserEstablished(true);
          }
        }
      }
    }
    if (!this.getWasUserEstablished()) {
      throw new AsnUnestablishedUserException();
    }

    // check the admin database for a disabled user:ipaddress or user:key

    // check the admin index for moderation privileges

  }
Example #2
0
  /**
   * Determines if the user can perform an action.
   *
   * @param context the assertion operation context
   * @param policy the authorization policy
   * @param assertion the active assertion
   * @param action the action
   * @return true if the user can perform the action
   */
  private boolean canAct(
      AsnContext context, AsnAuthPolicy policy, Assertion assertion, String action) {

    // ensure an authorization policy
    if (policy == null) {
      return false;
    }

    // check the user, ensure an authenticated user if required
    User user = context.getRequestContext().getUser();
    boolean userWasAuthenticated = false;
    if ((user != null) && user.getAuthenticationStatus().getWasAuthenticated()) {
      userWasAuthenticated = true;
    }
    if (policy.getAuthenticationRequired() && !userWasAuthenticated) {
      return false;
    }

    // determine the write principals (creation or modification)
    AsnPrincipals principals = null;
    boolean isWrite = false;
    if (action.equals(AsnAuthorizer.ACTION_CREATE)) {
      isWrite = true;
      principals = policy.getCreatePrincipals();
    } else if (action.equals(AsnAuthorizer.ACTION_DELETE)) {
      isWrite = true;
      principals = policy.getDeletePrincipals();
      if (assertion == null) return false;
    } else if (action.equals(AsnAuthorizer.ACTION_DISABLE)) {
      isWrite = true;
      principals = policy.getEnableDisablePrincipals();
      if (assertion == null) return false;
      if (!assertion.getSystemPart().getEnabled()) return false;
    } else if (action.equals(AsnAuthorizer.ACTION_ENABLE)) {
      isWrite = true;
      principals = policy.getEnableDisablePrincipals();
      if (assertion.getSystemPart().getEnabled()) return false;
      if (assertion == null) return false;
    } else if (action.equals(AsnAuthorizer.ACTION_QUERY)) {
      principals = policy.getQueryPrincipals();
    } else if (action.equals(AsnAuthorizer.ACTION_UPDATE)) {
      isWrite = true;
      principals = policy.getQueryPrincipals();
      if (assertion == null) return false;
      if (!assertion.getSystemPart().getEnabled()) return false;
    }
    if ((policy == null) || (principals == null)) {
      return false;
    }

    // hard check to ensure an authenticated user for any modifications
    // (regardless of configuration)
    if (isWrite && !userWasAuthenticated) {
      return false;
    }

    // check "any user" user privilege
    if (principals.contains(AsnConstants.PRINCIPAL_ANY)) {
      return true;
    }

    // check administrator privilege
    if (userWasAuthenticated) {
      if (principals.contains(AsnConstants.PRINCIPAL_ADMINISTRATOR)) {
        RoleSet roles = user.getAuthenticationStatus().getAuthenticatedRoles();
        if (roles.hasRole("gptAdministrator")) {
          return true;
        }
      }
    }

    // check for ownership
    if (userWasAuthenticated && (assertion != null) && assertion.getWasReadFromIndex()) {
      if (principals.contains(AsnConstants.PRINCIPAL_OWNER)) {
        String asnUserKey = Val.chkStr(assertion.getUserPart().getKey());
        String userKey = Val.chkStr(user.getKey());
        if ((asnUserKey.length() > 0) && asnUserKey.equals(userKey)) {
          return true;
        }
      }
    }

    return false;
  }